fix(core-p2p): validate incoming message json

ArkEcosystem · Dec 3, 2020 · ae8dcd7 · ae8dcd7
1 parent 29eaf10
commit ae8dcd7
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/packages/core-p2p/package.json b/packages/core-p2p/package.json
@@ -40,6 +40,7 @@
         "hapi-rate-limit": "^4.0.0",
         "ip": "^1.1.5",
         "ipaddr.js": "^1.9.0",
+        "json-validator-duplicated-keys": "^1.0.1",
         "lodash.chunk": "^4.2.0",
         "lodash.flatten": "^4.4.0",
         "lodash.get": "^4.4.2",

diff --git a/packages/core-p2p/src/socket-server/worker.ts b/packages/core-p2p/src/socket-server/worker.ts
@@ -1,6 +1,7 @@
 import { P2P } from "@arkecosystem/core-interfaces";
 import Ajv from "ajv";
 import delay from "delay";
+import { validate } from "json-validator-duplicated-keys";
 
 import { cidr } from "ip";
 import { RateLimiter } from "../rate-limiter";
@@ -133,7 +134,9 @@ export class Worker extends SCWorker {
             } else {
                 try {
                     const parsed = JSON.parse(message);
-                    if (parsed.event === "#disconnect") {
+                    if (validate(message) !== undefined) {
+                        return this.setErrorForIpAndDestroy(req.socket);
+                    } else if (parsed.event === "#disconnect") {
                         req.socket._disconnected = true;
                         if (
                             typeof parsed.data !== "object" ||

diff --git a/yarn.lock b/yarn.lock
@@ -5416,6 +5416,11 @@ babel-preset-jest@^25.1.0:
     "@babel/plugin-syntax-object-rest-spread" "^7.0.0"
     babel-plugin-jest-hoist "^25.1.0"
 
+backslash@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/backslash/-/backslash-0.2.0.tgz#6c3c1fce7e7e714ccfc10fd74f0f73410677375f"
+  integrity sha1-bDwfzn5+cUzPwQ/XTw9zQQZ3N18=
+
 balanced-match@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767"
@@ -10045,6 +10050,13 @@ json-stringify-safe@5.x.x, json-stringify-safe@^5.0.0, json-stringify-safe@^5.0.
   resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb"
   integrity sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=
 
+json-validator-duplicated-keys@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/json-validator-duplicated-keys/-/json-validator-duplicated-keys-1.0.1.tgz#cfb24a0013c70a652d69110eceff99fefaf625ce"
+  integrity sha512-rFGhwW21QNCoLCwDeuqN2TtEyiXWmT+huJwBjXk6NAAEvrowkGyiiOKJjlW5v7Th1/WEqFTkS0lzPdQOrPuaNQ==
+  dependencies:
+    backslash "^0.2.0"
+
 json5@2.x, json5@^2.1.0:
   version "2.1.1"
   resolved "https://registry.yarnpkg.com/json5/-/json5-2.1.1.tgz#81b6cb04e9ba496f1c7005d07b4368a2638f90b6"